Re: [Samba] Joining domain works - logging in doesn't
On 22/10/2010 18:45, Dale Schroeder wrote:
> Jonathan,
>
> A guess -- I had the same error message and similar log entries because I had set
>
>     server signing = auto
>
> The 3.5.x PDC would work only with the default No.

That was it Dale! Many thanks.

Jon.
[Samba] Joining domain works - logging in doesn't
I'm building a replacement samba 3.5.6 domain controller to replace an old 3.0 one. Some other things are changing too. Our user accounts are now in LDAP rather than flat files (although the machine trust accounts will remain in a flat file), but that should be hidden from samba as it's going to be done through NSS. The smbpasswd file is a TDB file and will remain so.

Our users don't authenticate with any native services on the server other than samba and PAM hasn't been configured to use LDAP. Samba was built with --without-pam as it authenticates using its own smbpasswd file and nothing else will need to authenticate that way. Our intention is to move over to an entirely LDAP based system, but we're doing that a stage at a time.

So far, so good. Samba duly starts and I can join an XP PC to the domain without an issue. But when I try to log into the domain using my username I get:

    The system cannot log you on now because the domain KIS2 is not available

nmblookup happily returns

    querying KIS2 on 160.5.10.3
    160.5.10.3 KIS2<1c>

so it looks like it's registered as a domain controller happily and besides, PCs can join the domain.

I can mount shares from the server using my username and I can see the IPC$ share anonymously. I can log into the PC using a local account and mount shares using my username.

    Anonymous login successful
    Domain=[KIS2] OS=[Unix] Server=[Samba 3.5.6]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Keele I.T. Services)
    Anonymous login successful
    Domain=[KIS2] OS=[Unix] Server=[Samba 3.5.6]

        Server               Comment
        ---------            -------
        OATCAKE              Keele I.T. Services

        Workgroup            Master
        ---------            -------
        KIS2                 OATCAKE

Oatcake is the samba server and nmblookup shows it with the right IP address.

Testparm shows the critical options as:

    map untrusted to domain = Yes
    domain logons = Yes
    domain master = Yes

So I can't see an obvious problem there.

So clearly I've made some sort of obvious error somewhere that escapes me. At the risk of appearing foolish amongst my peers I am posting in the hope that you can point me in the direction I need to investigate.

I'll include the end of the log.smbd running at debug level 5 which shows the logon process access the IPC$ share and then the connection being dropped.

    2010/10/22 12:01:55.413644, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
      pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2010/10/22 12:01:55.413761, 3] smbd/sec_ctx.c:210(push_sec_ctx)
      push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
    [2010/10/22 12:01:55.413789, 3] smbd/uid.c:429(push_conn_ctx)
      push_conn_ctx(0) : conn_ctx_stack_ndx = 0
    [2010/10/22 12:01:55.413810, 3] smbd/sec_ctx.c:310(set_sec_ctx)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
    [2010/10/22 12:01:55.413832, 5] auth/token_util.c:525(debug_nt_user_token)
      NT user token: (NULL)
    [2010/10/22 12:01:55.413853, 5] auth/token_util.c:551(debug_unix_user_token)
      UNIX token of user 0
      Primary group is 0 and contains 0 supplementary groups
    [2010/10/22 12:01:55.413896, 5] passdb/pdb_interface.c:1473(lookup_global_sam_rid)
      lookup_global_sam_rid: looking up RID 513.
    [2010/10/22 12:01:55.413959, 3] smbd/sec_ctx.c:210(push_sec_ctx)
      push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
    [2010/10/22 12:01:55.413985, 3] smbd/uid.c:429(push_conn_ctx)
      push_conn_ctx(0) : conn_ctx_stack_ndx = 1
    [2010/10/22 12:01:55.414007, 3] smbd/sec_ctx.c:310(set_sec_ctx)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
    [2010/10/22 12:01:55.414029, 5] auth/token_util.c:525(debug_nt_user_token)
      NT user token: (NULL)
    [2010/10/22 12:01:55.414050, 5] auth/token_util.c:551(debug_unix_user_token)
      UNIX token of user 0
      Primary group is 0 and contains 0 supplementary groups
    [2010/10/22 12:01:55.414460, 5] passdb/pdb_tdb.c:609(tdbsam_getsampwrid)
      pdb_getsampwrid (TDB): error looking up RID 513 by key RID_0201.
    [2010/10/22 12:01:55.414652, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
      pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
    [2010/10/22 12:01:55.414690, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
      pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2010/10/22 12:01:55.414718, 3] auth/auth.c:265(check_ntlm_password)
      check_ntlm_password: guest authentication for user [] succeeded
    [2010/10/22 12:01:55.414742, 5] auth/auth.c:304(check_ntlm_password)
      check_ntlm_password: guest authentication for user [] - [] - [nobody] succeeded
    [2010/10/22 12:01:55.414765, 5] auth/auth_util.c:2119(free_user_info)
      attempting to free (and zero) a user_info structure
    [2010/10/22 12:01:55.414819, 3] smbd/sec_ctx.c:210(push_sec_ctx)
      push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
    [2010/10/22 12:01:55.414846, 3] smbd/uid.c:429(push_conn_ctx)
      push_conn_ctx(0) : conn_ctx_stack_ndx = 0
    [2010/10/22 12:01:55.414868, 3] smbd/sec_ctx.c:310(set_sec_ctx)
      setting sec ctx (0, 0) -
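An added example, not part of the original post: a small Python parser for the smbd debug-log format pasted above. It splits entries even when they have run together on one line and surfaces passdb lookup errors and guest logons first. The sample entries are copied from the post; the function names and finding labels are this example's own.

```python
import re

# Header of one smbd debug entry: "[timestamp, level] source.c:line(function)".
# The leading "[" is optional because the first entry pasted in the post lost it.
HEADER = re.compile(
    r"\[?(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>[\w./-]+):(?P<line>\d+)\((?P<func>\w+)\)"
)

def parse_smbd_log(text):
    """Split smbd debug output into entries, even when they share one line."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        # The message runs from the end of this header to the next header.
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entry = m.groupdict()
        entry["level"] = int(entry["level"])
        entry["line"] = int(entry["line"])
        entry["msg"] = " ".join(text[m.end():end].split())
        entries.append(entry)
    return entries

def triage(entries):
    """Return (label, timestamp, message) for entries worth reading first."""
    findings = []
    for e in entries:
        if e["src"].startswith("passdb/") and "error" in e["msg"].lower():
            findings.append(("passdb-error", e["ts"], e["msg"]))
        # smbd logs a guest logon at level 3 and again at level 5; keep the level 3 one.
        elif (e["func"] == "check_ntlm_password" and e["level"] <= 3
              and "guest authentication" in e["msg"]):
            findings.append(("guest-logon", e["ts"], e["msg"]))
    return findings

# Five entries copied from the log in the post, run together as they appear on the page.
SAMPLE = (
    "2010/10/22 12:01:55.413644, 3] smbd/sec_ctx.c:418(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 "
    "[2010/10/22 12:01:55.413896, 5] passdb/pdb_interface.c:1473(lookup_global_sam_rid) lookup_global_sam_rid: looking up RID 513. "
    "[2010/10/22 12:01:55.414460, 5] passdb/pdb_tdb.c:609(tdbsam_getsampwrid) pdb_getsampwrid (TDB): error looking up RID 513 by key RID_0201. "
    "[2010/10/22 12:01:55.414718, 3] auth/auth.c:265(check_ntlm_password) check_ntlm_password: guest authentication for user [] succeeded "
    "[2010/10/22 12:01:55.414742, 5] auth/auth.c:304(check_ntlm_password) check_ntlm_password: guest authentication for user [] - [] - [nobody] succeeded"
)

if __name__ == "__main__":
    for label, ts, msg in triage(parse_smbd_log(SAMPLE)):
        print(f"{ts}  {label:13} {msg}")
```
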
Re: [Samba] Joining domain works - logging in doesn't
Jonathan,

A guess -- I had the same error message and similar log entries because I had set

    server signing = auto

The 3.5.x PDC would work only with the default No.

Dale

On 10/22/2010 6:06 AM, Jonathan Knight wrote: